We undertake our statutory duties to promote Turkish culture and tourism under the brand "GoTurkey".
- Methods of collecting personal data and legal grounds,
- Data subject categorization,
- The category of personal data processed in relation to these groups of persons (Data Categories) and sample data types
- Personal data processing processess and purposes,
- Technical and administrative measures taken to ensure the security of personal data,
- Personal data sharing,
- Personal data retention periods,
- Marketing and research information,
- Data subjects rights,
- Coookies and cookie management
Methods of collecting personal data and legal grounds
We process personal data in line with following legal grounds:
- explicit consent of data subject,
- If it is clearly stipulated in laws,
- If it has been made public by the person concerned,
Based on that legal reasons TGA collects personal data over TGA’s websites, mobile websites, social media accounts and cookies.
Data subject categorization
TGA categorizes the data subject groups whose personal data are processed in personal data processing processes and activities related to these processes as follows:
- Online visitors, who just visited TGA’s website and mobilewebsite
- Users, who opened an account on TGA’s webpage and mobile webpage.
The personal data that TGA collects and processes
Online visitors: TGA collect and process IP address, port info, starting, and ending time of the service given, type of the service, the amount of data transferred and if available subscriber ID information in accordance with the Law numbered 5651.
Users: Account information (name, last name, e-mail address, location (country), direct marketing opt-in/opt-out choice, alternative login option with Facebook or Google (e-mail address).
Personal data processing processess and purposes
TGA process online visitors personal data based on the Internet Law. It is compulsory for website owners to collect and keep abovementioned information in order to combat illegal online content. , If you register TGA’s website as a user and plan a trip to Turkey, we may use your name and e-mail address to send you necessary information about your visit. If you (visitor or user) click opt-in/agree button on the webpage or mobile webpage for direct marketing, TGA could send you marketing e-mails.
The type of personal information that GoTurkey collects may include your name, contact details, your views and opinions about GoTurkey services. If you use this website, information is recorded about your visit for web personalisation, research and statistical and reporting purposes as well as to allow us to improve the website, product and services.
Information provided by you
Whenever you interact with us, you may be asked to provide us with necessary information. For example:
Some of our products or services may require you to create an account or register certain information (your name, address, email address, date of birth, location, contact details, applicable device ID(s) relating to the devices you are using to access and receive particular applications and services, interests and account and marketing preferences) in order to use a particular product or service.
If you contact us forvia written communications or via our website(s), telephone, email, or our social media channels), we may keep information about the particular communication, including your name, the service(s) you request, the reason why you contacted us, and the advice we gave you so we can track the resolution of any user request and enhance .
When you visit us at a public event, such as a trade show or exhibition or participate in one of our surveys, competitions or prize draws, we may ask for information, such as your business card, name, contact details, interests and marketing preferences.
When you use our services or other platforms, we may receive content that you choose to upload, such as product reviews, comments, photos or details of your preferences that you choose to tell us about.
Information we collect from social networks
If you use any of our social network pages or applications or you use one services that allow interaction with social networks, we may receive information relating to your social network accounts:
If you log-in to one of our websites, s or services using your social network account, we may receive basic details from your social network profile which may depend on your social network account's privacy settings. We may also receive additional information from your profile if you give us permission to access it.
We may receive information about interactions with the content posted to your profile or feed.
Information we collect when you use websites, products, services from us
In order to improve and provide a better user experience, some of our websites and services provide us with information about your use of them, including:
Details of your usage patterns, the content that you view and interact with including information on the services and applications you are using in-device to personalise services to your specific needs.
Service, product or server logs, which hold technical information about your use of our service, product or websites, such as your IP address (to determine your location/country of origin), device ID(s) etc.
Interests and preferences that you specify during set up or registration of any service.
1.How the personal information that you provide to us or we collect is used:
We may use information for the following purposes:
Create and manage customer database(s) of its users including basic account information, applicable device ID(s), related product or service usage information and customer preference information you provide us. We may consolidate several databases into one or otherwise link separate databases to manage your accounts more effectively.
Ask for your opinions about our products and services and conduct surveys.
Facilitate and process your searches and requests for information when you contact us about our websites and services.
Hold competitions and other promotional offers across all platforms, contact winners and to fulfil prizes to winners.
We may use your information to provide you with product and service updates, newsletters and other communications about existing and/or new products and services by post, email, telephone, in-device messaging and/or text message (SMS), if you have provided your consent or we are permitted to do so under applicable law.
We may use the information we collect or you share with us to personalise our services, content, recommendations and adverts.
We may use your information to create user group profiles or segment data and to otherwise create anonymous, aggregated statistics about the use of our websites, products and services which we may share with third parties and/or make available to the public.
We may use your information to improve our products, services and applications and develop recommendations, advertisements and other communications and learn more about customers' shopping preferences in general.
Where you have uploaded product reviews, comments or content to our websites or services and made them publicly visible, we may link to or publish these materials elsewhere including in our own advertisements.
We may link or combine the information that we collect from the different sources to allow us to provide more seamless customer support whenever you contact us and to provide you with better, personalised services, content, marketing and adverts.
Technical and administrative measures taken to ensure the security of personal data
We use generally accepted standard technologies and operational security methods, including the standard technology called Secure Socket Layer (SSL), to protect the personal information collected. However, due to the nature of the Internet, information can be accessed by unauthorized persons over networks without the necessary security measures. We take technical and administrative measures to protect your data from risks such as destruction, loss, tampering, unauthorized disclosure or unauthorized access, depending on the current state of technology, the cost of technological implementation, and the nature of the data to be protected. Within this scope, we conclude data security agreements with the service providers we work with.
- Ensuring Cyber Security: We use the cyber security products to ensure personal data security, but our technical measures are not limited to this. The first line of defense against attacks from environments such as the Internet is established through measures such as firewall and gateway. However, almost every software and hardware is subjected to a number of installation and configuration operations. Considering that some of the commonly used software, especially older versions, may have documented security vulnerabilities, unused software and services are removed from the devices. Therefore, such unused software and services are primarily preferred because of their ease of deletion rather than keeping them up to date. The patch management and software upgrades ensure that the software and hardware work properly and that the security measures taken for the systems are sufficient to check regularly.
- Access Restrictions: Access rights to systems containing personal data are restricted and reviewed regularly. Within this scope, employees are granted access rights to the extent necessary for their work and duties and their powers and responsibilities, and access to related systems is provided by using user name and password. When creating these passwords and passwords, combinations of uppercase and lowercase letters, numbers and symbols are preferred instead of numbers or letter sequences related to personal information that can be easily guessed. Accordingly, the access authorization and control matrix is established.
- Encryption: In addition to using strong passwords and passwords, limiting the number of password entry attempts to protect against common attacks such as the use of brute force algorithm (BFA), ensuring that passwords and passwords are changed periodically, and administrator account and admin privileges are opened only for use when needed. and for employees who have been dismissed from the Data controller, access is restricted without delay, such as deleting an account or closing entries.
- Antivirus Software: In order to protect against malware, products such as antivirus, antispam, which regularly scans the information system network and detect hazards are used, and the required files are regularly scanned. If personal data will be obtained from different internet sites and/or mobile application channels, it is ensured that the connections are made via SSL or more secure way.
- Monitoring of Personal Data Security: Checking which software and services are operating in information networks, Determining whether there is any infiltration or non-infiltration in IT networks, Keeping the transaction transactions of all users regularly (such as log records), Security problems as fast as possible reporting. A formal reporting procedure is also set up for employees to report security weaknesses in systems and services or threats using them. Evidence is collected and stored securely in the event of undesired events such as information system crash, malicious software, decommissioning attack, missing or incorrect data entry, violations of privacy and integrity, abuse of information system.
- Ensuring the Security of Personal Data Environments: If personal data is stored on the devices of the responsible persons or in the media, physical security measures are taken against threats such as theft or loss of these devices and papers. The physical environments containing personal data are protected against external risks (fire, flood, etc.) by appropriate methods and the entrances / exits to these environments are controlled.
If personal data is in electronic form, access between network components can be restricted or separated to prevent personal data security breach. For example, if personal data is being processed in this area by limiting it to a specific portion of the network in use, which is reserved for this purpose, the available resources can be reserved for the security of this limited area, not the entire network.
Measures at the same level are also taken for paper media, electronic media and devices containing personal data of the Company located outside the Company campus. As a matter of fact, although personal data security violations frequently occur due to theft and loss of devices containing personal data (laptop, mobile phone, flash disk, etc.), personal data to be transmitted by e-mail or mail is also sent carefully and with adequate precautions. Sufficient security measures are also taken in case employees provide access to the information system network with their personal electronic devices.
The use of access control authorization and / or encryption methods is applied in case of loss or theft of devices containing personal data. In this context, the password key is stored only in the environment accessible to authorized persons and unauthorized access is prevented.
Paper documents containing personal data are also stored in a locked and accessible environment only, and unauthorized access to these documents is prevented.
If any personal data is obtained by others by unlawful means, the Company shall inform the Personal Data Protection Committee and the data subjects of this fact as soon as possible pursuant to article 12 of the Personal Data Protection Law. if they see necessary, the Personal Data Protection Committee may announce this situation at the website or in by any other means.
- Storage of Personal Data in the Cloud: In the event that personal data is stored in the cloud, it is necessary for the Company to assess whether the security measures taken by the cloud storage service provider are adequate and appropriate. In this context, two-step authentication control is applied for knowing, backing up, synchronizing the personal data stored in the cloud and providing remote access if necessary. During the storage and usage of the personal data in the said systems, it is provided to be encrypted with cryptographic methods, to be encrypted and sent to the cloud environments, and to the use of individual encryption keys where possible for the personal data, in particular for each cloud solution received. When the cloud service relationship ends, all copies of the encryption keys, which may be used to make personal data available, are destroyed. Access to data storage areas with personal data is logged and improper access or access attempts are instantly communicated to those concerned.
- Information Technology Systems Procurement, Development and Maintenance: Security requirements are taken into consideration when determining the requirements related to the procurement, development or improvement of new systems by the Company.
- Backing up of Personal Data: In case of personal data being damaged, destroyed, stolen or lost due to any reason, the Company makes use of the backed up data as soon as possible. The backed up personal data is accessible only by the system administrator, and data set backups are excluded from the network.
- All activities carried out by our company have been analyzed in detail in all business units and as a result of this analysis, a process-based personal data processing inventory has been prepared. Risky areas in this inventory are identified and necessary legal and technical measures are taken continuously. (For example, the documents to be prepared within the scope of KVKK have been prepared considering the risks in this inventory)
Personal data processing activities carried out by our company are audited by information security systems, technical systems and legal methods. Policies and procedures regarding personal data security are determined and regular controls are conducted within this scope.
- From time to time, our company may provide services from external service providers to meet information technology needs. In this case, we ensure that these Data Processing external service providers meet at least the security measures provided by our Company. In this case, a written agreement is signed with the Data Processor and the contract includes at least the following points:
- The Data Processor acts only in accordance with the instructions of the Data controller, the purpose and scope of the data processing specified in the agreement, the Personal Data
Protection and other legislation; o The Data Processor acts in accordance with the Personal Data Retention and Destruction
Policy; o The Data Processor is obliged to keep any data confidential indefinitely in relation to the personal data processed;
- In the event of any data violation, the Data Processor is obliged to inform the Data controller of it immediately;
- Our Company will perform or have the necessary audits performed on the Data Processor's systems containing personal data, and may review the reports and service provider on the spot; o Our Company will take the necessary technical and administrative measures for the security of personal data; and
- Furthermore as long as the nature of the relationship between the Data Processor and us is suitable, the categories and types of the personal data transferred to the Data Processor are also specified in a separate article.
- As emphasized in the guidelines and publications of the Authority, personal data is reduced as much as possible within the framework of the data minimization principle, and personal data that is not required, outdated and does not serve a purpose are not collected and if collected in the previous period of the Personal Data Protection Law, a data in accordance with the Personal Data Retention and Disposal Policy is destroyed.
- The employees specialized in technical issues are employed.
- Our Company has set provisions on confidentiality and data security in the Employment Agreements to be signed during the recruitment process of its employees and requests that the employees comply with these provisions. The employees are regularly informed and trained about the personal data protection law and taking necessary measures in accordance with this law. The roles and responsibilities of the employees have been revised and their job descriptions have been revised.
- Technical measures are taken in accordance with technological developments, and the measures taken are periodically checked, updated and renewed.
- The access authorizations are limited and reviewed regularly.
- The technical measures taken are regularly reported to the authorized person, and the issues that constitute risk are reviewed and efforts are made to produce the necessary technological solutions.
- Software and hardware including virus protection systems and firewalls are installed.
- The backup programs are used to ensure the safe storage of personal data.
- Security systems are used for storage areas, technical measures taken are periodically reported to the person concerned as a result of internal controls, risk issues are re-evaluated and necessary technological solutions are produced. The files/printouts stored in the physical environment are stored by the supplier companies and then disposed of in accordance with the established procedures.
The protection of personal data is also accepted by the top management, a special Committee (the Personal Data Protection Committee) has been established and started to work. A management policy regulating the working rules of the Company's KVK Committee has been put into effect within the Company and the duties of the KVK Committee have been explained in detail.
Personal data sharing
In general, we do not share or disclose information about you to third parties without your consent unless GoTurkey is required to or authorised by laws.
We may use other third party service providers including data analytics providers who process information on our behalf, consultants, marketing agencies, Professional advisers, Ministries or business partners with whom GoTurkey has a formal relationship with.
Our service providers are required to only process data in line with this Policy.
If you request or agree to receive information or newsletters from one of our business partners, we may provide that third party with your details so that they can contact you and/or respond to your request.
We may use and/or disclose information about you to:
(i) Government bodies and law enforcement agencies to prevent fraud, to comply with applicable laws, regulations and court orders and to comply with valid legal information requests from such bodies. To that extent TGA could share traffic data with law enforcement and the Turkish Information Technologies and Communication Authority based on the Internet Law.
(ii) Third parties (including professional advisors) to enforce or defend our legal rights or the terms and conditions of any of our websites, products or services
(iii) A third party purchaser or seller, and its and our professional advisors, in connection with a corporate event such as a reorganisation, merger, business acquisition or insolvency situation
- iv) Based on the commercial electronic message approval, the commercial electronic message is shared with the service provider in order to promote, advertise and offer benefits and opportunities in line with travel preferences,
We prepare anonymous data for a number of purposes. The information may be shared with our partners, advertisers, media and public as you cannot be identified from this information.
3. International transfers of your information
GoTurkey's management is conducted under Republic of Turkey Ministry of Culture and Tourism and is based in Ankara, Turkey. We have an international network of offices for promoting the development of tourism to and within Turkey and encouraging people to visit Turkey. We may disclose your personal information internationally as part of our marketing functions.
4. Direct Marketing communications
When you provide us with contact details, you may be given the opportunity to opt-in to receiving various newsletters and other communications from us.
You can change your marketing communication preferences at any time.
If you use more than one e-mail address to contact us on, you will need to unsubscribe separately for each email address.
Please note that we may send you important information about our products and services that you are using or have used including essential software updates, changes to applicable terms and conditions and/or other communications or notifications as may be required to fulfil our legal obligations arising from the Law on the regulati.
6. Cookies and Cookie Managament
7. Links to third party sites
Some of our websites may contain links to other third party websites that are not operated by us. We are not responsible for the content, security or privacy practices of those third party websites. Please view the privacy and cookie policies displayed on those third party websites.
Personal data retention periods
TGA has a Personal Data Retention Policy, whic has been prepared in accordance with the DPL. We keep personal data following periods:
- We keep online visitors traffic data 2 years based on the Internet Law.
- We keep login info of users until he/she close his/her account.
- We keep opt-in, opt-out records for 1 year from the date of withdraw and other records regarding commercial electronic messages for 1 year based on the Bylaw on Commercial Communications And Commercial Electronic Messages.
We may use your information to create user group profiles or segment data and to otherwise create anonymous, aggregated statistics about the use of our websites, products and services which we may share with third parties and/or make available to the public. In order to create user group profile, instead of sharing personal data directly with our providers, we use pseudonymisation.
Data subjects rights
You are entitled (in the circumstances and under the conditions, and subject to the exceptions, set out in applicable law) to:
- Request access to the personal data that TGA process about you. This right entitles you to know whether TGA hold personal data about you and, if TGA do, to obtain information on and a copy of that personal data.
- Request a rectification of your personal data: this right entitles you to have your personal data be corrected if it is inaccurate or incomplete.
- Object to the processing of your personal data.
- Request the erasure of your personal data, including where such personal data would no longer be necessary to achieve the purposes.
- Request the restriction of the processing of your personal data.
- Request portability of your personal data: You can request a copy in a structured, commonly used and machine-readable format of personal data that you have provided to TGA, or request TGA to transmit such personal data to another data controller.
- To know the third parties to whom his/her personal data are transferred in country or abroad.
- To object to the occurrence of a result against the person himself/herself by analyzing the data processed solely through automated systems, including profiling
- To claim compensation for the damage arising from the unlawful processing of his/her personal data.
If processing of your personal data is based on your consent, you have the right to withdraw such consent at any time by contacting email@example.com.
If, despite TGA’s efforts to protect your personal data, you believe that your data privacy rights have been violated, TGA encourage data subjects to apply to TGA first to seek resolution of any complaint. data subjects have the right at all times to lodge a complaint with the relevant DPA.
Acceesibility for All
TGA aims to eliminate visual barriers for people with disabilities. In order to support that aim, TGA’s website use the World Wide Web Consortium’s Web Content Accessibility Guidelines (WCAG) 2.1.